What is CVE-2021-39164?

CVE-2021-39164 is a vulnerability in Matrix Synapse versions 1.41.0 and prior that allows unauthorized users to access the membership (list of members) of a room if they know the room ID and the room has shared history enabled.

What is the severity of CVE-2021-39164?

The severity of CVE-2021-39164 is low, with a CVSS severity score of 3.1.

How can unauthorized users access the membership of a vulnerable room in Matrix Synapse?

Unauthorized users can access the membership of a vulnerable room in Matrix Synapse if they know the room ID and the room has shared history enabled.

Which versions of Matrix Synapse are affected by CVE-2021-39164?

Matrix Synapse versions 1.41.0 and prior are affected by CVE-2021-39164.

How can I fix CVE-2021-39164 in Matrix Synapse?

To fix CVE-2021-39164, upgrade to version 1.41.1 or later of Matrix Synapse.

Vulnerability/
CVE-2021-39164

low

3.5

CWE

200 863

31/8/2021

25/10/2022

CVE-2021-39164: Infoleak

First published: Tue Aug 31 2021(Updated: )

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the patch. One workaround is available. Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the endpoints: `/_matrix/client/r0/rooms/{room_id}/members` with `at` query parameter, and `/_matrix/client/unstable/rooms/{room_id}/members` with `at` query parameter.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Matrix Synapse	<1.41.1
Fedoraproject Fedora	=34
Fedoraproject Fedora	=35

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-39164?
CVE-2021-39164 is a vulnerability in Matrix Synapse versions 1.41.0 and prior that allows unauthorized users to access the membership (list of members) of a room if they know the room ID and the room has shared history enabled.
What is the severity of CVE-2021-39164?
The severity of CVE-2021-39164 is low, with a CVSS severity score of 3.1.
How can unauthorized users access the membership of a vulnerable room in Matrix Synapse?
Unauthorized users can access the membership of a vulnerable room in Matrix Synapse if they know the room ID and the room has shared history enabled.
Which versions of Matrix Synapse are affected by CVE-2021-39164?
Matrix Synapse versions 1.41.0 and prior are affected by CVE-2021-39164.
How can I fix CVE-2021-39164 in Matrix Synapse?
To fix CVE-2021-39164, upgrade to version 1.41.1 or later of Matrix Synapse.

collector/nvd-index
agent/event
vendor/matrix
canonical/matrix synapse
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/34
version/fedoraproject fedora/35

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.